CVE-2021-1385 - OpenCVE

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system. This vulnerability occurs because the device does not properly validate URIs in IOx API requests. An attacker could exploit this vulnerability by sending a crafted API request that contains directory traversal character sequences to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on the underlying operating system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cisco	Ios Ios Xe

Configuration 1 [-]

OR	cpe:2.3:o:cisco:ios:15.8\(3\)m2a:::::::*
	cpe:2.3:o:cisco:ios:15.8\(3\)m3:::::::*
	cpe:2.3:o:cisco:ios:15.8\(3\)m4:::::::*
	cpe:2.3:o:cisco:ios:15.8\(3\)m5:::::::*
	cpe:2.3:o:cisco:ios:15.8\(3\)m6:::::::*
	cpe:2.3:o:cisco:ios:15.9\(3\)m:::::::*
	cpe:2.3:o:cisco:ios:15.9\(3\)m1:::::::*
	cpe:2.3:o:cisco:ios:15.9\(3\)m2:::::::*
	cpe:2.3:o:cisco:ios:15.9\(3\)m2a:::::::*
	cpe:2.3:o:cisco:ios:15.9\(3\)m3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.1b:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.1c:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.1s:::::::*
	cpe:2.3:o:cisco:ios_xe:16.11.2:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1c:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1s:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1t:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1w:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1x:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1y:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1z:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1z1:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.1za:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.2:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.2a:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.2s:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.2t:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.3:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.3a:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.3s:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.4:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.4a:::::::*
	cpe:2.3:o:cisco:ios_xe:16.12.5:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.1:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.1s:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.1t:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.2:::::::*
	cpe:2.3:o:cisco:ios_xe:17.1.3:::::::*
	cpe:2.3:o:cisco:ios_xe:17.2.1:::::::*
	cpe:2.3:o:cisco:ios_xe:17.2.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:17.2.1r:::::::*
	cpe:2.3:o:cisco:ios_xe:17.2.1v:::::::*
	cpe:2.3:o:cisco:ios_xe:17.2.2:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.1:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.1w:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.1x:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.2:::::::*
	cpe:2.3:o:cisco:ios_xe:17.3.2a:::::::*
	cpe:2.3:o:cisco:ios_xe:17.4.1:::::::*
	cpe:2.3:o:cisco:ios_xe:17.4.1a:::::::*
	cpe:2.3:o:cisco:ios_xe:17.4.1b:::::::*

No data.

References

Link	Providers
https://github.com/orangecertcc/security-research/security/advisories/GHSA-hhfw-6cm2-v3w5
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-pt-hWGcPf7g

History

No history.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2021-03-24T20:07:32.277070Z

Updated: 2024-09-16T19:15:57.992Z

Reserved: 2020-11-13T00:00:00

Link: CVE-2021-1385

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-24T20:15:13.837

Modified: 2023-11-07T03:28:09.610

Link: CVE-2021-1385

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object